Policy | Security | Investigation

lawsuit

September 11, 2009

Law and politics give institutions incentive to collect and archive plentiful records. The best way to maintain plentiful records in practice is to archive email.

Records are evidence of due diligence and responsible corporate behavior. In the past, records were expensive to keep and manage. But costs are plummeting as information technology advances.

A case in point: The use of a taser in police work is controversial because, legally speaking, officers should use it only when circumstances warrant. But proving, after-the-fact, what the circumstances were can be difficult. So the company that makes tasers sees an opportunity. Recognizing that the cost of gathering and storing video evidence is declining, the company has developed a video camera for police officers to wear while on duty. The camera will capture trainloads of data. The company has further developed a technology for economically storing and managing that data. Veronica Dagher, “New Taser 'Shoots' Evidence,” Wall St. J., Sept. 2, 2009.

Update: A police officer in Fort Smith, Arkansas, was wearing a video camera when he fatally shot a gunman, November 2009. The police department released the video record to local media. The local prosecutor investigated the shooting, and part of the investigation included review of the video record. The prosecutor concluded that the officer acted lawfully, as he had ordered he gunman nine times to drop the gun he was pointing at officers.

For an enterprise like a police department or a doctors' office, greater quantities of records can mean reduced risk of liability for negligence (tort). Good records support a defendant’s position that its people exercised due care and it therefore is not liable.

For physicians, lawyers and other professionals, classic advice for the avoidance of malpractice claims is to make and retain thorough records of services performed.

In this technological age, hidden cameras and surprise evidence are becoming more common. They can embarrass an organization, as they did ACORN, a high-profile advocacy group for the poor.

Yet, surprise evidence may evaporate if the organization maintains its own detailed records that counteract the surprise. Example: In the famous murder prosecution of Carolyn Warmus, a key issue was whether she placed a phone call to a gun shop. At trial, her defense team produced “surprise evidence” – an original telephone bill – showing she did not make the call. But the evidence backfired because the prosecution established that the “original” bill was in fact a forgery. It did so by drawing on secure computer records at the telephone company and testimony from a telephone company employee.

The electronic records in an enterprise such as a government agency are often in diverse formats and locations, which makes long-term retention and management difficult. The enterprise therefore has incentive to emphasize the archiving of electronic messages such as e-mail. Three reasons:

1. Electronic messages represent a detailed, time-stamped diary of many of the day-to-day activities and intentions of the executives and staff at the enterprise.

2. The IT industry has fielded numerous, competitive products for archival of enterprise electronic messages. Good archive products support economical retention and rigorous searching of records. Good archival includes storage of records in a non-proprietary format like XML.

3. If electronic messages are the focal point for record archiving, then the enterprise can direct employees to use electronic messages generously as the journal of their activities. Journaling can include attaching to email documents like spreadsheets or (short) videos.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

August 31, 2009

Accepted “best practice” says employees like executives should review e-mails and documents one-by-one and decide which to keep and which to destroy. The rationale behind the practice is that it is imprudent to retain all records. This practice further holds that employees should be trained not to keep insignificant documents and email messages, lest record archives fill up with junk, making search for important records more difficult. One more tenet of the best practice is that when litigation is anticipated, the destruction of e-mail and documents (even insignificant messages) related to the topic of the litigation should cease so that records are not spoliated.

Accepted best practice suffered another blow in court. In Goodman v. Praxair Services, Inc., 2009 WL 1955805 (D.Md. July 7, 2009), the court sanctioned a corporation for failing to keep all of an executive’s emails and e-documents on a topic after litigation was threatened, even though during the time in question the executive kept what she deemed to be “relevant” e-mails and documents, while allowing only “irrelevant” ones to be destroyed.

Risk

The case spotlights a big risk associated with the accepted best practice: Knowing when and how to apply a litigation hold is tricky. The danger sprouts from the proclivity of courts to second-guess an enterprise after it, acting through its employees, makes a decision. Although an enterprise makes a decision about whether to implement a litigation hold on Day Number 1 (when the enterprise knows little about the potential lawsuit that may or may not materialize), the court’s review of that decision may happen on Day Number 2601, long after the lawsuit is underway and at a time when it is clear what the focus of the lawsuit is.

Even after the decision to initiate a litigation hold has been made, the hold is hard to implement in practice. If, before the litigation hold, the enterprise's default practice is to destroy records, then to make and enforce an exception to the default for precisely the right records is not easy.

Facts

So what happened in the Goodman case?

First: According to allegation by a consultant, the consultant and the CEO of a corporation speak by telephone (end of December 2000) concerning a disagreement over compensation to the consultant under a contract. Allegedly, the CEO suggested that the consultant take a small amount to settle the matter rather than having to sue the corporation to win more money.

Second: The consultant stated to the corporation in a letter dated January 5, 2001, that he had consulted two attorneys concerning this contract dispute. The letter spoke generally about the possibility that the consultant would pursue a lawsuit on the matter, without forcefully threatening it.

Third: February 19, 2001, the consultant sent a stronger letter threatening litigation.

Fourth: After receipt of the February 19 letter, the corporation’s CEO instituted a litigation hold on all then-existing e-mails and other documents related to the matter in her possession. [What is a "litigation hold" aka "legal hold"? It is a procedure whereby a party, anticipating or knowing of a lawsuit or legal investigation, takes special steps to prevent the loss of records that would normally be destroyed.] The CEO initiated this litigation hold on her own initiative. It was not formally instituted throughout the company and was not instituted under the supervision of counsel. The litigation hold ultimately proved to be imperfect, as the court suspected some relevant documents were destroyed when the CEO’s laptop was later discarded.

Fifth: Before February 19, the CEO’s usual practice was to review each of her e-mails and documents, print the relevant ones (that is, relevant in her eyes) and delete the others.

Sixth: The court seemed to believe that the CEO deleted some e-mailed related to the topic of the lawsuit between January 5 and February 19, although the court did not specifically identify any such e-mails or their content.

Seventh: Despite the litigation hold, the corporation eventually discarded the CEO’s laptop, which, in the opinion of the court, might have held some relevant records. Although the court did not have conclusive evidence that any particular relevant record was destroyed, it distrusted the practice whereby the CEO decided what was and was not relevant. Said the court, “The argument of an accused spoliator that it did not violate its duty to preserve evidence because it retained the ‘relevant’ information and only deleted ‘irrelevant’ information rings particularly hollow. The ultimate decision of what is relevant is not determined by a party's subjective assessment filtered through its own perception of self-interest.”

Three years after the consultant sent the letters identified above, the consultant sued and sought e-discovery for all of the CEO’s relevant e-mails and e-documents. The corporation turned over the records it had. The corporation said it had not required to institute a litigation hold until February 19, 2001, because until then it could not have reasonably expected the topic to materialize into a lawsuit. The corporation further argued that nothing relevant had been destroyed because the CEO kept what she thought was relevant.

Ruling: Spoliation

The court, however, ruled that the corporation had committed spoliation because it should have applied a litigation hold on all the CEO’s email and e-documents touching on the subject of the lawsuit, starting from the January 5, 2001, letter. (As I said, that’s the letter that talked generally about a lawsuit, without forcefully threatening it.) Instead, the CEO said her legal hold started with the February 19 letter.

The key to this case is that the court believed the litigation hold started too late. The court seemed suspicious that the CEO destroyed some relevant evidence between January 5 and February 19, although the court could not specifically put its finger on what that evidence was.

Punishment: Strategic Disadvantage in Lawsuit

To punish the spoliation, the court dealt the corporation a strategic disadvantage. It said that when the jury is empaneled as the lawsuit goes to trial, the jury will be informed that the corporation was negligent in its preservation of relevant e-mails and electronic documents. This strategic disadvantage could make it more difficult for the corporation to win the case. (See important footnote below.)

The court further held that the consultant would be entitled to reimbursement from the corporation for some of the consultant’s litigation costs in pursuing the spoliation complaint.

Analysis: Incentive for More Generous Retention

The court’s application of law to the facts of this case fails to persuade me. I respectfully observe that the court could not identify any relevant record that had been destroyed and could not establish that any such record had been destroyed. Nevertheless, the opinion is influential because it was written by a federal magistrate judge, Paul W. Grimm, who is considered a leader in the law of ediscovery.

Regardless of whether the court applied the law correctly, the case continues a distinct trend in American jurisprudence. In this decade, courts have tended to expect enterprise electronic mail records to be well preserved and are suspicious if they are not. Selective printing of e-mail by executives has evoked judicial skepticism.

What does this case, and the trend which it continues, tell people who craft real-world policies for the review, retention and destruction of enterprise electronic mail? They suggest that policy makers are wiser to keep all the records of important people a long time. They suggest that the accepted “best practice” is under siege.

Safer Practice: Keep More Email of Important People

But wait. The Goodman court did not say that a corporation must keep all the records of important people. All the court said was “don’t spoliate,” which strictly speaking means don’t destroy records when you have reason to believe they will be needed for future litigation. That’s easier said than done. My experience says it is very hard in practice for an enterprise to divine what a court (which has not even been selected yet because no lawsuit has been filed) may consider important several years in the future. Further, few organizations can afford to have lawyers regularly engaged in analysis as to whether a legal hold should be applied at this time to these records versus that time for those records. Therefore, the safer practice is to keep a lot of digital records, as the cost of digital storage is dropping.

With that said, I believe it is very hard to “keep all the records of important people a long time.” As archival technology advances, that may become easier.

However, as of today, I argue that an enterprise is wise to place emphasis on the long-term retention of e-mail by executives and other decision-makers. The reason is that email is a choke point in the modern enterprise. It records rich, time-stamped detail about the activities of the enterprise, including copies of, references to or links to documents like spreadsheets.

Email is not a comprehensive journal of the activities in an enterprise, but it is key, and the technology available for archiving it is relatively well-developed and economical to implement.

–Benjamin Wright

A practicing attorney, Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Footnote: I don’t wish to overstate the severity of the sanction the court applied in this case. The court held that the consultant “is entitled to an adverse jury instruction . . . with respect to [the corporation]'s failure to preserve [the CEO]'s laptop and [the CEO]'s failure to preserve her relevant emails and documents. The appropriate instruction would be a general adverse instruction that permits, but does not require, the jury to draw an adverse inference against [the corporation] as a result of its violation of the duty to preserve relevant evidence.” Although this does deal an advantage to the consultant, it is not a decisive advantage. The corporation may be able to overcome it and still prevail at trial. The sanction is less severe than the sanction in some other leading e-spoliation cases. Hence, Goodman should not be taken as earth-rocking authority for the proposition that enterprises will be treated harshly if they rely on executives to decide, one-by-one, which record is relevant for retention and which is not.

November 04, 2008

Just as legislatures should stay away from writing technical data security specifications, regulatory authorities should shy away too. An example of an unhelpful technical regulation comes from the well-meaning Massachusetts Office of Consumer Affairs and Business Regulation. It published regulations on the protection of personal information, 201 CMR 17.00. Section 17.04(5) requires "encryption" of personally identifiable data on laptops and iPads.

But 17.02 defines "encrypted," as "the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key . . . " Hmm. So under this regulation what does the word "encryption" mean in practice?

"Encryption" seems to include the transformation of data by some means that is at least as good as an algorithm. But which algorithm? The regulation does not really say. Some algorithms are very easy to break. Others are less easy. Few if any commercially useful algorithms are impossible to break.

Would it be reasonable to interpret the 17.02 to allow processes that are easy to break? Maybe not. 17.02 requires the process to transform data “into a form in which meaning cannot be assigned without the use of a confidential process or key”. An easily breakable algorithm does not satisfy the cannot requirement.

OK. So it seems 17.02 excludes an easily breakable algorithm. Next question: What about a algorithm that is hard to break, but not literally impossible to break? Many reasonably good algorithms can eventually be broken if (for example) enough brute force computing power is applied for a long period of time. But if 17.02's word cannot is read literally, then the hard-to-break algorithm would be excluded too. But such a literal reading of the regulation would seem unreasonable because few if any commercially available algorithms are literally impossible to break forever.

Hence, it seems 17.02 requires hard-to-break encryption – but not impossible to break encryption – anytime private data are stored on a laptop. [If in fact that is what the drafters of the regulation mean, then why don’t they explicitly say that?]

So now that we think we better understand the regulation, let’s think more about the technology of encryption. Smart people are constantly seeking spectacular new ways to break good encryption. And every so often they succeed. For example, Wired Equivalent Privacy or WEP encryption was broken a few years after it came into wide use.

Given that strong encryption is proven from time to time to be weak, encryption users have to upgrade their technology every so often. When they hear that their current encryption has been broken, they shift to something else. Section 17.02 could reasonably be read to require this upgrading process.

Assuming 17.02 does require periodic upgrading, please consider this scenario: A Massachusetts government agency stores private data on numerous laptops. To comply with 2001 CMR 17.00, the agency implements encryption method X to protect the data. At the time of implementation, method X has a reputation for being good.

As time passes, a lawsuit arises, and the data on the laptops might be relevant to the lawsuit. The agency therefore implements a litigation hold on the data on the laptops, so as to avoid destroying any evidence while the lawsuit is pending.

A lawsuit can take years to conclude. During the pendency of this lawsuit, let's say the agency de-commissions the laptops. Its employees no longer use the laptops. But the agency cannot destroy the data on the laptops on account of the litigation hold. So it stores the laptops in a well-secured warehouse.

More time passes. It becomes widely known in the encryption community that method X is lousy (like WEP); it is breakable. Must the agency now go to the expense of upgrading the encryption on the de-commissioned, physically-secure laptops? Massachusetts regulation 201 CMR 17.00 seems to require such a (senseless) upgrade, for the regulation seems inflexible. The regulation fails to provide discretion to users.

Lesson: Better-written laws just set goals, and let users apply all the methods at their disposal to reach those goals. Unlike 201 CRM 17.00, better laws avoid specifying particular technologies for advancing civil rights like privacy.

Update: Reacting to public criticism, Massachusetts has revised proposed 201 CMR 17.00 many times since first publication. Last I heard, the effective date of the latest version of the regulation is March 1, 2010.

September 28, 2008

Burst.com’s electronic mail records served the company well in its trade secret lawsuit against Microsoft.

Wrongful Withholding of Records?

Burst had held conversations with Microsoft in which it confidentially (under non-disclosure agreement) revealed trade secrets (nonpublic ideas of an inventor) about Burst's streaming media technology. Burst later alleged that Microsoft chose to use these trade secrets without Burst’s consent, and without compensation to Burst.

So Burst sued, claiming misappropriation of trade secrets and breach of contract. During the discovery phase of the lawsuit, Microsoft was required to reveal all of its e-mail records on the topic, and Microsoft did turn over a large number of e-mails regarding its development and use of streaming technology.

But a question arose in court whether Microsoft complied fully with the discovery requirements. Burst contended that Microsoft had wrongfully withheld some e-records or destroyed them. To support its contention, Burst produced numerous of its own email records showing particular exchanges between Burst and Microsoft, where Microsoft had produced no corresponding records on its end. Stefanie Olsen, “Microsoft ordered to uncover old e-mails,” September 10, 2003.

Microsoft's Mismanagement of Records Played to Adversary's Advantage

This mismatch in email records led the court to suspect Microsoft was being evasive. The court ordered Microsoft to sift through backup tapes in search for missing e-records (looking for electronically stored information (ESI) in network backup is a tedious and expensive process!). The court's suspicion, coupled with the order to look through backup, cast Microsoft at a strategic disadvantage, and contributed to company’s decision to settle the case and pay Burst $60 million. Tim Siglin, “Microsoft Settles Burst.com Lawsuit,” March 14, 2005.

The institution retains those three classes of data in a dedicated archival system (more than just normal production records and backup).

East Carolina retains e-mail of top school administrators seven years, then purges it. In my experience, seven years is the traditionally-recognized period for responsible retention of important financial records.

To reduce costs, the university retains archives in tiers. Newer or higher-priority archives are in higher-performance "primary" storage, whereas older archives are relegated to slower storage, outside the network backup program.

On the topic of tiers, I’ll go one step further than what I read about East Carolina U. I envision another, even lower and less expensive tier, where archives are retained and organized but not accessible by fully-automated means.

From the perspective of e-discovery theory, a rationale for tiered storage is this: E-discovery law is most intolerant when records are destroyed too early. In the e-records world, too-early destruction is the most common type of "spoliation" or "obstruction of justice". E-discovery law is also intolerant (but maybe a bit less so) when a litigant possesses records, but she doesn’t know it and can’t find them.

Finally, e-discovery law seems to be more tolerant when a litigant possesses records, knows she possesses them, knows more or less where they are, but just can't get to them very easily. When this is the case in a lawsuit, a litigant is much less likely to be charged with spoliation. Instead, the plaintiff and defendant are prone to go before the judge and argue about the extent to which the dusty old e-archives are important and about who should pay for how much of the cost of retrieving them.

IT Administrators

Twitter

Wright's Google Profile

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

E-mail Mr. Wright

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.